-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Attn: Anonymous Thank you for your comments with regards to the Freedom project. I would like to respond to some of the points you have brought up.
-----Original Message----- From: HyperReal-Anon [mailto:nobody@sind.hyperreal.art.pl] Sent: Friday, November 06, 1998 7:30 PM To: austin@zks.net Subject:
Attn: Austin Hill Zero Knowledge Systems, Inc. 3981 St. Laurent Blvd. Suite 810 Montr=E9al, Qu=E9bec H2W 1Y5 Canada 514.286.2636 phone 514.286.2755 fax
Mr. Hill:
Congratulations. I hope your name goes down in history for being involved in creating and operating FREEDOM.net
Additional suggestions for the FREEDOM.NET concept:
1) Undoubtedly, after your client software is developed and deployed there will be nations run by legislators and politicians with evil intentions to continue to restrict and sabotage the privacy of individuals. If your software already has flexible measures coded into it to counter these evil forces, privacy seeking citizens from affected nations will prevail.
For the client side software, it would be extremely useful to have a feature (or an input field) where users can view their IP hops (traceroutes), but more important to allow users to BYPASS all local FREEDOM servers in their home country (example: if terrible laws are passed like in the Netherlands requiring logging and storage of all packet info., etc.). In this manner, a local user in a restrictive nation could set their client to BYPASS all local FREEDOM servers, accessing only FREEDOM servers in the nearest friendly nation which protects privacy of users and allows FREEDOM servers to operate AS YOU DESIGNED THEM. Even the FSU of Russia has already begun to implement "black box" requirements at every ISP (only Internet by satellite will bypass this ?)
Example:
<Box to check> **Bypass local FREEDOM SERVER** Enter the IP address of first FREEDOM server to route through__________________________________ (user fills in this blank)
Route definitions for use of AnonymousIP nodes is COMPLETELY configurable. A user of Freedom can define preferred exit hops (i.e. 'Make all my pseudonyms IP traffic come from country X'); server's to avoid (i.e. 'Never use any Freedom node in country X'); and some rather advanced custom configurations (i.e. 'Always make my exit hop of of the following countries, use the fastest and best routing point for my first hop and make my middle hop one of the following trusted nodes') With regards to countries such as the Netherlands; and Russia these laws will have no effect on Freedom users. Since all IP traffic leaves the local computer anonymized and multiply encrypted with the different keys for different hops a local ISP that is logging all traffic as per government rules will only be able to log encrypted data and be able to reveal that this user is using Freedom. The ability to define the destination or content of that Internet traffic is not possible. As well, due to the features we have included for traffic analysis foiling, both packets and links are padded to avoid traffic correlation's. Even if an all powerful network attacker with the ability to watch all incoming and outgoing connections to all Freedom nodes attempts to correlate traffic patterns, they will not be able to reveal the true identity behind the pseudonym. The user interface for controlling the Freedom node selection and some of these rules is designed to make it COMPLETELY transparent and easy for the average Internet user. There will be an advanced mode that allows more advanced users to built custom routing profiles that they can associate with a particular pseudonym or with particular destination sites. (i.e. Whenever I browse 'www.playboy.com' use pseudonym 'playboyfan' and routing profile 'Fast routing, no rules except exit hop cannot be in the following Muslim countries').
2) It is very possible government spy agencies will secretly arrange for spy friendly ISP's to obtain your software and setup FREEDOM servers in their nation. Then, they could write or modify code to intercept and decrypt incoming packets of data BEFORE it hit the FREEDOM servers. Can you write secret "test" code or test packets such that you can send out packets from your Canadian headquarters to test all FREEDOM servers deployed worldwide to detect all forms of tampering, and if detected, send emergency emails and post on newgroups the violators ?
3) Curiously, what if Canadian legislators / politicians create laws similar to what the Dutch parliment enacted recently ? Would you move your entire company to another nation ? Or, would you have to move
This is essentially the hostile root/hostile node attack. Ultimately we have decided that protecting against a hostile root or node is infeasible. (i.e. Whatever attempts we make to make it impossible to have a hostile node, do not justify themselves because they are not completely effective) We do employ some simple protections to try and avoid amateur hostile nodes (Valid binary checking, periodic unannounced audits for nodes) but a sophisticated and well financed attacker could and most likely will operate a number of nodes in the network. To compromise the identity behind a pseudonym, an attacker would have to control or collude with all the nodes you use in a particular AnonymousIP route. Since a user by default uses three hops, and can configure specific nodes that they trust this reduces the possibility of a single node or a groups of nodes being able to work to compromise a pseudonyms privacy. (i.e. If you decide based on reputation to trust Zero-Knowledge, you might enter into your preferences to always use at least one Zero-Knowledge server in your AnonymousIP routers. This means that as long as that Zero-Knowledge server does not have a hostile root or that we have not been subverted that your identity is protected. You may choose to chain trusted servers (i.e. Use Zero-Knowledge, TOAD.COM and EFF.ORG servers (TOAD.COM; EFF.ORG are just examples - They are not to imply that they are currently committed to operate Freedom nodes) for all my anonymous routes.) Also because Freedom node operators are rewarded financially to operate Freedom nodes, we've found incredible interest in the ISP community to operate Freedom nodes. This will help to increase the total number of Freedom nodes in the network, making it that much harder for a hostile attacker to operate a large percentage of nodes in the network. (i.e. 'If there are only 10 nodes in the network, running 40% of them is quite easy. If there are 700 nodes in the network and a user only needs 3 of them, owning enough of those 700 nodes to have a reasonable chance at always being all 3 hops is less likely.) the
FREEDOM net server headquarters to another nation ? It seems very important initially to setup FREEDOM servers in as many nations as possible to counteract such attempts to destroy the right to internet privacy.
Canada has proven quite committed to the privacy of its citizens and has demonstrated its support for Canada's growing cryptography industries. Many leading cryptography companies are now setup in Canada and able to export strong cryptography without restriction. We believe that Canada will remain a friendly country in which to develop our products and distribute them around the world. In the event that the US or another country were able to convince Canada to ban anonymity/pseudonymity online; or make it illegal to provide these services there are plans and provisions we have made to ensure we are able to continue to provide service to our customers. Because of the distributed nature of the system, it would take a global effort among all countries to ban and make Freedom illegal (A nice soundbyte waiting to happen ;) The US would have a difficult time (According to our lawyers) passing a law making anonymity/pseudonymity illegal or banning the domestic use of encryption products like Freedom. Ultimately this will be another example of 'the cats out of the bag'. There will most likely be some fights because this will be the first time that completely pseudonymous digital identities will be accessible to the layman; or average Internet user - and the technical sophistication of AnonymousIP with pseudonymous identities mapped on top will pose a serious challenge for some government initiatives. But we will be attempting to educate law enforcement; government officials that this tool will be the primary and most effective way of protecting children online (From stalkers and aggressive marketing profiles); protecting privacy (Both archived histories that we cannot separate ourselves from; multiple roles we have that are difficult to separate online right now and privacy from aggressive marketing) and protecting free speech and human rights on a global level. For this education process to be effective, we will need to help government understand that there are better ways of using traditional law enforcement techniques to accomplish their goals. This is the same process that many of the cypherpunks; privacy advocacy groups and lobbyists have already been doing and we will work on supporting those efforts. Initially we will have servers deployed in MANY countries and we have an aggressive marketing plan to ensure that we have high penetration of servers very quickly after we release.
4) I urge you to try and think ahead, designing as many countermeasures as possible into the first initial version of client software, making it as easy as possible for users to circumvent any harmful measures taken by the evil forces of the dark side.
We have designed the system to be as versatile as possible and as hard to shut down as possible. We have included provisions (Might not be in version 1, but can be applied very quickly after) to circumvent country level firewalls or proxy servers so that countries that attempt to ban all IP traffic to the Freedom network will encounter many difficulties. While this is not likely in most North American or European countries (Although the US many attempt it when they implement ISP blocking provisions for offshore gambling sites (Online Gambling Act)and realize that Freedom clients can bypass ISP political filtering of sites) in certain other countries around the world, the initial reaction will be to ban Freedom and add it to a list of filtered sites. Since some of these countries are the ones that have citizens who in the most urgent need of unlimited access to Free Speech, total privacy for their browsing and online activities and the ability to communicate secretly - we've made it very difficult for any country to ban our traffic.
5) A PARADOX awaits - Serious privacy advocates will want to "test" your system. One such test would be to sign up and operate as as a spammer, and use your system to pass on SPAM, or what about malicious hackers ? If that person is identified or revealed by you, then your system has been revealed as not a true anonymous system, and there will be a media feeding frenzy exposing it. But if it IS a truely anonymous system, you will have no way to identify and locate
spammers
or malicious hackers.
The SPAM dilemma was one of the more difficult ones that we faced in designing the project. We were aware that if we could not manage the abuse (Spam, harassment, Anonymous hack attempts) then we would quickly become 'blackballed' for most services and a few bad apples could affect all of our legitimate users. We could not have the option of knowing who to hold responsible for abuse because that would include our holding some sort of identity escrow which we specifically did not want and designed the system to make impossible. The alternative we decided on was to invest significantly on making abuse easier through other networks than the Freedom network. Some of the ways we've accomplished this; - -Designed the entire system around untraceable pseudonymity as opposed to anonymity. This re-enforces the reputation capital aspect of having a pseudonym. In general we hope this will promote people who have made an investment in a pseudonym (Both in time, and money) to be careful about how badly the affect the online reputation of that pseudonym. - -Associated a direct cost with a pseudonym By having a cost associated with a pseudonym, many people who would normally take liberties in abusing Internet communication will/do hesitate, since there is the potential of losing that financial investment. - -Forcing 'nymserver' like features of having all outgoing e-mail pass through the Freedom server, signed by both the pseudonym and the Freedom network key to avoid forged spam baiting mail. - -Allowing end users to have destination blocking per recipient and making it easy for them to request not to receive e-mail from a particular pseudonym. (In cases of harassment) - -Developing sophisticated SPAM blocking systems to make our network VERY VERY unfriendly to pseudonyms attempting to send SPAM. (i.e. Max per day recipients limits of 500 or so people; with the limit automatically adjusting to deal with averages of all pseudonyms and number of confirmed spam complaints.) Bulk mailers will have the option of purchasing a more expensive pseudonym that removes any daily limits for recipients but has strict cancellation policies for unsolicited spam (This enables an underground Zine that publishes anonymously to sent out an edition every Friday to 15,000 people; but if someone buys one of the bulk mailing pseudonyms (Around $500+/year) and abuses by sending a massive SPAM we will confirm the spam complaints (Based on digital sig on headers and message) and then have the right to cancel the pseudonyms (Resulting in the Spammer paying $500+ to deliver one spam to many people then losing that pseudonym.) This makes it cheaper to SPAM from other free services or open mail relay systems thereby diverting hard core spammers from making the Freedom network their home. - -Anonymous Telnet host blocking (Site administrators can work with us to block anonymous telnet to their sites) allowing certain sites such as MUDs and Telnet BBS's to allow access but corporate/university sites to restrict access for anonymous telnet. We hope with these and other systems we have taken the time to develop it will help mitigate or reduce the potential of a few malicious users to harm the legitimate Freedom users. Ultimately we have only once choice in dealing with abuse, canceling the pseudonym which will cause a financial loss for someone as well as killing that 'nym and any reputation it has gathered. The terms under which we will cancel a pseudonym will be very clearly posted, and the only other time is when a government agency (Canadian) issues us a court order to turn off a pseudonym. There is NO MEANS possible for us to reveal the identity of a user (Thereby avoiding some of the Penet.Fi style attacks).
6) It seems unfortunate that some of the larger, "holier than thou, self righteous" worldwide ISP's (like AOL) will be frustrated at FREEDOM net not being able to identify who the spammers or hackers are, and then BLOCK FREEDOM net packets from going through their servers, starting little electronic wars. These "blocking wars" have already occured from time to time.
Hopefully with the abuse management tools we've made available we will cut off any attempts to block or ban our service. If certain domains/admins feel they still wish to ban Freedom traffic we would work with them to address whatever concerns we can to help restore good routing relations, but in the end it will be up to our users to fight for FREEDOM, if anyone attempts to take it away. Strong letter writing campaigns, boycotts and media attention should all help pressure certain organizations to deal with us on any complaints or issues they have and not treat pseudonyms as second class online citizens. Ultimately this service and peoples pseudonymous digital identities will be as valuable as they make them. By using them frequently, lobbying sites to support pseudonymous identities (For instance for one click authentication and login to web sites), and making sure the get ALL their friends to use pseudonyms then it becomes REALLY difficult to shut the service down or silence millions of users. If there is a small uptake and we only have 100,000 pseudonyms it would be possible to shut the service down without a lot of noise (We'll make as much as we can, but ultimately our users have to help). With 12 million pseudonyms registered and all of them making as much noise as possible to fight any attempts to ban Freedom, there will by a lot more chance of making Freedom completely ubiquitous.
7) It would really be useful for your staff to address questions/ concerns like these and others by creating pages regarding these matters on your website.
Hopefully, you are on some of the lists that I am responding to your e-mail with. Most of this information will be posted in time to our web site, but the FAQ's and whitepapers describing most of this are not ready for publication on the web yet.
Anonymously Yours,
P.S. I will only feel comfortable revealing my anonymous self to you by way of my psuedonym, when I sign up with your service, which I
hope
to do as soon as FREEDOM net is ready.
Thanks for the interest and comments. I hope I've been able to answer most of your questions. ________________________________________________________________________ _ Austin Hill Zero-Knowledge Systems Inc. President Montreal, Quebec Phone: 514.286.2636 Ext. 226 Fax: 514.286.2755 E-mail: austin@zks.net http://www.zks.net Zero Knowledge Systems Inc. - Nothing Personal Changing the world with Zero Knowledge PGP Fingerprints 2.6.3i = 3F 42 A2 0D AF 78 20 ED A2 BB AD BE 8B 40 5E 64 5.5.3i = 77 1E 62 21 B3 F0 EB C0 AA 6C 65 30 56 CA BA C4 94 26 EC 00 keys available at http://www.nai.com/products/security/public_keys/pub_key_default.asp ________________________________________________________________________ _ -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com> iQA/AwUBNkS3qlbKusSUJuwAEQJzNACg7TTSDuipjmCrT78WMWKskdOkzgQAnAnq R4ka2Ne+CMK4FmyAt6qfExJu =paSA -----END PGP SIGNATURE-----